The Seventh Law

Many participants in this discussion have talked about how “identity is contextual”. The extreme argument is made by Scott C. Lemon, who posits in his second axiom that “identity does not exist outside the context of a community”. And Jamie Lewis has said “Context is Everything” when rapping on the Fourth Law (er Principle) of Identity. He gives some good examples, too:

I’m an audio/video enthusiast (my wife would say freak), so I’m a member of the Audio Visual Sciences Forum. I self-asserted my identity when I signed up, and that’s fine for the AVSForum. As long as I play by the forum’s rules, the folks that run the forum are fine with me being around using whatever identity I’ve established for myself. The reputation system inherent in the AVSForum takes care of many governance problems. The forum’s moderators and administrators step in with full authority when they have to.

But will self-assertion alone work for my bank? Hopefully not (or I need to change banks). Yes, the AVS Forum could rely on the identity my bank issues, but I might not want to use such an unambiguous (and valuable) identity in that social context. And why should AVSForum do that anyway? The cost could well outweigh any benefits it may gain. Once you get past registration, you get to the differences in policies (credential type and strength), attributes, and the management systems necessary to propagate and use identity in each of these very different contexts. In large part, these things must be need-driven, and one size will not fit all…

In other words, identity is the most contextual element you can possibly imagine; in fact, all social interaction is highly contextual, especially online. Who we choose to be, what of ourselves we choose to share, what faces we choose to show, depend entirely on the context in which we’re operating.

It stands to reason, then, that domains of activity will emerge, and they will have their own identity mechanisms, probably their own identifier, which will be unique and appropriate within the context of that given domain.

Several of the Laws of Identity capture the objective constraints implied by these observations. The Third Law talks about limiting the disclosure of identifying information to “parties having a necessary and justifiable place in a given identity relationship.” That relationship is clearly a context. The Fourth Law explains why a metasystem should be able to support “unidirectional identitifiers” for use in private relationships, which again are specific contexts. And the Fifth Law states the need for a pluralistic metasystem in which different technical systems run by different parties must coexist, again for use in appropriate contexts.

But now let's get a bit more concrete. Let's project ourselves into a future where we have a bunch of contextual identities. I'll carry on where Jamie left off and pick an arbitrary set of identities that seems pretty convenient:

browsing: a self-asserted identity for exploring the web (giving away no real data)

personal: a self-asserted identity for sites with which I want an ongoing but private relationship (including my name and a long-term email address)

community: a public identity for collaborating with others and bloggling (includes my community name and its long-term email address)

professional: a public identity for collaborating issued by my employer

credit card: an identity issued by my bank

citizen: an identity issued by my government

Things might be pretty simple if everyone chose the same set of identities that I use. But of course they don't. Jamie doesn't use a self-asserted personal identity. My brother's employer doesn't issue professional identities. Marc hasn't applied for a citizen identity, and doesn't plan to. So we have a mishmash of possibilities for identifying ourselves.

Now, you are not going to believe this, but this mishmash is good. It is in accordance with our diversity. We don't need to freak out about it. We need to accept it.

How do you deal with diversity?

Let's begin by assuming that diversity does not present a technical problem. I know this will be a stretch at first, but bear with me until “tomorrow”: let's look at the other issues.

The answer to which types of identity are acceptable then lies in the hands of each “relying party”. In other words, each given web site decides what kind of identities it will accept. Again, some examples will help, so I'll ofer some.

Let's start with “Kim Cameron's Identity Weblog”. What kind of identities will Kim's weblog accept? You name it – I'll accept it. Anything that works for you is fine with me – I want to get a discussion going.

On the other hand, let's say you go to a site like eBay. It may allow you to use any identity (or no identity) to window shop. But it will likely expect to see a credit card identity when you make a purchase. And if you want to post things for sale, the site may well expect you to present a community identity, something to which a reputation is attached.

We could give the example of using a citizen identity to access information about your social security contributions. Or of using a professional identity to get into a professional conference.

So two things become clear.

A single relying party will often want to accept more than one kind of identity; and

A user will want to understand his or her options and select the best identity for the context

Now it is necessary to consider the Sixth Law – the Law of Human Integration. This means that the request, the selection and the proffering of identity information must be done such that the channel between the relying party (e.g. the web site) and the user who is releasing information (in accordance with the First and Second Laws) is safe – and that the options are consistent and clear. Taking all of these constraints into account simultaneously (the head almost explodes) we are faced with the Seventh Law:

The Law of Harmonious Contextual Autonomy

The unifying identity metasystem MUST facilitate negotiation between relying party and user of the specific identity and its associated encoding such that the unifying system presents a harmonious technical and human interface while permitting the autonomy of identity in different contexts.

Does this sound too hard? It's hard, but I think, as you will see in upcoming postings, that our industry has the tools we need to do this. Meanwhile the cost of not having a unifying identity metasystem will continue to grow exponentially.

It was probably eight years ago now that Doc Searls took a deep look at my work on metadirectory, which I was having trouble explaining (you can see that little changes), and said:

“Kim. It's simple. We have multiple identities on multiple systems but there's no way for us to integrate them. If this were happening in the physical world, we'd have multiple personality disorder. The internet is still psychotic.”

A thought like this never leaves you. Certainly I am convinced that as users, we need to see our various identities as part of an integrated world which none the less respects our need for independent contexts.